Oct 18, 2009

Cloud Computing & Security

What is Cloud Computing?

Cloud computing is a general term for anything that involves delivering hosted services over the  internet. These services are broadly divided into three categories:

  • Infrastructure-as-a-Service (IaaS)
  • Platform-as-a-Service (PaaS) and
  • Software-as-a-Service (SaaS)

Five attributes of Cloud Computing

Gartner defines five attributes of Cloud Computing:

  • It is service-based.
  • It is scalable and elastic.
  • It uses shared infrastructure to build economies of scale.
  • It is metered and users pay according to usage.
  • Most importantly, it uses Internet technologies.

Infrastructure as a Service (IaaS)

  • Infrastructure as a Service is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components.
  • The service provider owns the equipment and is responsible for housing, running and maintaining it. The client typically pays on a per-use basis.
  • Infrastructure as a Service is sometimes referred to as Hardware as a Service (HaaS).

Characteristics and components of IaaS

Characteristics and components of IaaS include:

  • Utility computing service and billing model
  • Automation of administrative tasks
  • Dynamic scaling
  • Desktop virtualization
  • Policy-based services
  • Internet connectivity

Platform as a Service (PaaS)

Platform-as-a-service in the cloud is defined as a set of software and product development tools hosted on the provider's infrastructure.

  • Developers create applications on the provider's platform over the Internet.
  • PaaS providers may use APIs, website portals or gateway software installed on the customer's computer.
    Example : Google Apps

Software as a Service (SaaS)

  • Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet.
  • SaaS is closely related to the ASP (application  service provider) and On Demand Computing software delivery models.

Service Model Architectures

image

Cloud Deployment Models

  • Private cloud - enterprise owned or leased
  • Community cloud - shared infrastructure for specific community
  • Public cloud - Sold to the public, mega-scale infrastructure
  • Hybrid cloud - composition of two or more clouds

Possible Effects of Cloud Computing

  • Small enterprises use public SaaS and public clouds and minimize growth of data centers
  • Large enterprise data centers may evolve to act as private clouds
  • Large enterprises may use hybrid cloud infrastructure software to leverage both internal and public clouds
  • Public clouds may adopt standards in order to run workloads from competing hybrid cloud infrastructures

Foundational Elements of Cloud Computing

Primary Technologies Other Technologies
Virtualization Autonomic Systems
Grid technology Web 2.0
Service Oriented Architectures Web application frameworks
Distributed Computing Service Level Agreements
Broadband Networks  
Browser as a platform  
Free and Open Source Software  

 

Cloud Security Vs. Security in Cloud

  • “Cloud Security”: this refers to the security of “the Cloud”, or more usefully, of a given cloud. Stepping back, we can use the term to refer to the general security aspects of Cloud Computing.
  • “Security in the Cloud”: this is about delivering security services via “the cloud”.

Security is the Major Issue

image

Cloud Computing Security Issues

According to analyst firm Gartner, customer  should consider following seven cloud computing security risks before selecting a cloud computing vendor 

Privileged User Access: Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls".

Regulatory Compliance: Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are "signaling that customers can only use them for the most trivial functions," according to Gartner.

Data Location: When you use the cloud, you robably won't know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, Gartner advises.

Data segregation: Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all. "Find out what is done to segregate data at rest," Gartner advises.  The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. "Encryption accidents can make data totally unusable, and
even normal encryption can complicate availability," Gartner says.

Recovery: Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. "Any offering that does not replicate the data and  application infrastructure across multiple sites is vulnerable to a total failure," Gartner says. Ask
your provider if it has "the ability to do a complete restoration, and how long it will take."

Investigative support: Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns. Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing
set of hosts and data centers

Long-term viability: Ideally, cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. "Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application," Gartner says.

Best Practice for Companies in the cloud

  • Inquire about exception monitoring systems
  • Be vigilant around updates and making sure that staff don't suddenly gain access privileges they're not supposed to.
  • Ask where the data is kept and inquire as to the details of data protection laws in the relevant jurisdictions.
  • Seek an independent security audit of the host
  • Find out which third parties the company deals with and whether they are able to access your data
  • Be careful to develop good policies around passwords; how they are created, protected and changed.
  • Look into availability guarantees and penalties.
  • Find out whether the cloud provider will accommodate your own security policies

Is Cloud Computing behind Twitter hack?

  • What is being dubbed as the “Twitter Hack” has some questioning whether security is an issue for the phenomenon that is cloud computing.
  • The incident that sparked the debate was actually the hacking of a Google Apps account belonging to a Twitter employee. It has been reported that the exploit occurred because one of Twitter’s co-founders create a password for Google Apps that was easily guessed by a hacker.
  • This in turn, enabled the hacker to access and distribute important documents.
  • The distribution of internal Twitter documents by a hacker has revived doubts about the security of cloud computing.

Cloud Security Alliance

  • The Cloud Security Alliance is a non-profit organization formed to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.
  • The Cloud Security Alliance is comprised of many subject matter experts from a wide variety disciplines, united in following objectives:
  • Promote a common level of understanding between the consumers and providers of cloud computing regarding the necessary security requirements and attestation of assurance.
  • Promote independent research into best practices for cloud computing security.
  • Launch awareness campaigns and educational programs on the appropriate uses of cloud computing and cloud security solutions.
  • Create consensus lists of issues and guidance for cloud security assurance.

References

2 comments:

Anonymous said...

Great post! I've been searching for a thorough explanation of Cloud Computing, glad I was able to visit your blog. It would really be helpful for me. Thanks for the share. Until your next post! Thumbs up!

Denise

software as a service,saas

Anonymous said...

CSO at Zynga & Co-founder of Cloud Security Alliance, Nils Puhlmann will provide an overview of where we are today and what areas of cloud security are actively being worked on in the industry at the third season of Business Technology Summit 2o1o in Bangalore. Further he will discuss about the specific risk and threat areas and how can they be mitigated? What other security efforts are underway in the industry to ensure that security is a key part of every cloud offering? For more information log on to www.btsummit.com

Text Widget

Copyright © Vinay's Blog | Powered by Blogger

Design by | Blogger Theme by